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ABSTRACT 


The  word  error  rate  of  an  ensemble  of  cryptographic 
systems  is  determined.  The  word  error  rate  is  specified  as  a 
function  of  the  corresponding  plain-text  bit  error  rate.  Deg¬ 
radation  is  defined  and  computed  for  the  case  of  phase  shift 
keying  and  white  Gaussian  noise.  Finally,  the  effect  of 
differential  encoding  on  a  cryptographic  system  is  investigated. 
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WORD  ERROR  RATES  IN  CRYPTOGRAPHIC  ENSEMBLES 


INTRODUCTION 

In  any  digital  communication  system,  the  transmitted  bits  and  words  have  certain  error 
rates.  When  the  digital  bits  are  enciphered  but  the  other  system  parameters  remain  unchanged, 
these  error  rates  increase.  It  is  the  object  of  this  report  to  obtain  theoretically  a  quantitative 
measure  of  this  degradation. 

A  standard  enciphering  technique  is  the  modulo-2  addition  of  the  plain  text  with  a 
pseudorandom  code  sequence.  Figure  1  shows  an  implementation  in  which  a  four-stage  feed¬ 
back  shift  register  and  exclusive  OR  gates  are  used.  For  each  distinct  setting  of  the  switches, 
there  is  a  different  enciphered  output  stream.  The  corresponding  deciphering  system  is  showr 
in  Fig.  2,  where  the  switches  must  be  sei  in  the  same  manner  as  those  of  the  enciphering 
system.  A  detailed  discussion  of  this  type  of  cryptographic  method  can  be  found  in  the 
literature  (1-4). 

Qualitatively,  the  reason  for  the  degradation  in  cryptographic  systems  is  due  to  the  pres¬ 
ence  of  shift  registers  in  the  enciphering  and  deciphering  mechanisms.  A  bit  error  due  to 
random  noise  will  be  carried  through  a  shift  register,  causing  additional  bit  errors  down  the 
line. 


GENERAL  DISCUSSION 


The  bit  error  rate  for  ordinary  transmission  is  a  function  of  the  modulation  system. 
For  most  modulation  systems,  when  white  Gaussian  noise  is  present,  the  bit  error  rate  has 
the  functional  form  specified  by 


Pb 


(1) 


where  f  is  a  function,  N0  is  the  noise  power  spectral  density,  and  Eb  is  the  mean  energy  for 
a  bit  in  the  ONE  state.  Assuming  that  bit  errors  occur  independently  of  each  other,  the 
associated  word  error  rate  is 


Pw  «  1  -(1  -P6)\  (2) 

where  k  denotes  the  number  of  bits  per  word. 

It  is  shown  in  the  next  section  that  the  corresponding  formulas  for  cryptographic  bits 
and  words  are 


Pcb  *  Pb  (1  -  P6r_1  +  1/2  (1  +  Pb)  [l  —  (1  —  Pb )"-1] ; 


(3) 
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Fig.  1  —  Typical  enciphering  system 


PLAIN  BITS  V 


Fig.  2  —  Corresponding  deciphering  system 


Pcw=  [l-2~*  (l-/>6)*]  [l-(l-P6)"-*] 

fe-1 

+ y  pb  [i  -  2-*(i  -  pb)k]  (i  -  p,,)"-'-1 

i-l 

+  [l  -(1  -Pb)*]  (1  -Pb)n~\  n  >  k; 


(4a) 


n—  i 

Pcw=  pb  [l-2-'(l-Pfr)*]  (l-Pb)«-«-l 
i-l 

+  [l  —  (1  ~Pb)k]  (1  ~Pb)n~l,  n<k. 


where  Pcb  and  Pcw  are  the  ensemble  average  error  rates  of  a  cryptographic  bit  and  a  crypto¬ 
graphic  word  respectively.  In  these  formulas,  n  denotes  the  number  of  bits  affected  by  an 
initial  bit  error.  For  example,  in  the  linear  system  of  Figs.  1  and  2  an  initial  bit  error  at  the 
input  of  the  deciphering  system  is  carried  by  the  shift  register  until  n  —  1  more  Pits  are 
received.  Thus  n  is  equal  to  the  number  of  shift-register  stages  in  the  usual  linear  system. 


It  is  immediately  noticed  that  the  cryptographic-error-rate  formulas  are  written  as 
functions  of  the  bit  error  rate  due  to  random  noise.  If  Eq.  (1)  is  substituted  into  Eqs.  (3) 
and  (4),  there  result  formulas  in  terms  of  Eb.  By  comparing  these  formulas  with  Eqs.  (1) 
and  (2),  we  can  determine  the  increase  in  Eb  required  for  enciphered  bits  or  words  to 
maintain  the  same  error  rates  as  plain  bits  or  words.  This  increase  provides  a  quantitative 
measure  of  cryptographic  degradation. 
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The  cryptographic-error-rate  formulas  are  very  tedious  to  use  in  manual  computations. 
In  many  cases,  approximate  formulas  are  highly  accurate  over  the  range  of  interest.  It  is 
shown  in  the  next  section  that  the  following  approximations  can  be  used: 


Pw 


kPb\ 


(5) 


Pcb 


(6) 


![n  +  k  -  2  —  2“*(n  -  k  -  2)]  Pb,  n  >  k; 

(7) 

[n  +  k  -  2  +  2-(n“1)]  Pb,  n  <  k. 

A  sufficient  condition  under  which  these  equations  are  accurate  for  n  >  1  is 

Pb  <  min  {n-1,  fe-1  },  (8) 

where  the  notation  indicates  that  Pb  must  be  much  less  than  the  smaller  of  the  two  quantities 
in  the  braces. 


PROOF  OF  THE  CRYPTOGRAPHIC  ERROR 
RATE  FORMULAS 

Suppose  an  enciphered  bit  is  erroneously  received  as  a  result  of  random  noise  or  other 
interference.  As  the  erroneous  bit  proceeds  through  the  deciphering  system,  each  of  the 
next  n  —  1  bits  will  be  affected.  We  define  a  “train”  as  a  set  of  n  consecutive  enciphered 
bits,  the  first  of  which  has  been  erroneously  received  due  to  interference. 

The  probability  of  error  for  each  bit  of  a  train  could  be  computed  for  any  specific 
deciphering  system,  e.g.,  the  system  of  Fig.  2  with  the  switch  settings  specified.  However, 
this  computation  would  have  to  be  repeated  each  time  the  configuration  of  the  deciphering 
system  is  altered.  Therefore,  a  more  useful  approach  is  to  consider  the  ensemble  of  all 
possible  cryptographic  systems  with  trains  of  n  bits.  The  average  probability  of  error  for 
each  train  bit  over  this  ensemble  is  one-half,  regardless  of  the  level  of  random  noise  or 
interference.  We  now  derive  the  ensemble  average  probability  of  word  error. 

Consider  an  enciphered  word  of  k  bits.  The  probability  of  a  word  error,  Pcw,  is  defined 
to  be  the  probability  of  one  or  more  erroneous  bits.  The  probability  of  a  word  error  and  a 
train  of  external  origin  extending  into  the  word  is  denoted  by  P(w,t).  If  no  train  of  external 
origin  extends  into  the  word,  the  probability  of  word  error  is  denoted  by  P(u>l  t ).  The  _ 
probability  that  a  train  of  external  origin  does  not  extend  into  a  word  is  denoted  by  P(t  ). 

It  then  follows  from  the  theorem  of  total  probability  that 

Pcw  =  P{w,t)  +  P(w\T )  P(T ).  (9) 
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A  train  will  extend  into  a  word  if,  and  only  if,  one  of  the  n  —  1  bits  immediately  pre¬ 
ceding  the  word  is  in  error  due  to  random  noise.  Thus  assuming  bit  errors  are  uncorrelated, 

P(7)  =  (1  -Pfe)"-1.  (10) 

Clearly,  P(w\t  )  is  the  same  as  the  probability  of  a  word  error  for  plain  text.  From  Eq.  (2) 
we  obtain 


P{w\t)=l-  (1-  Pb)k.  (11) 

To  determine  P(w,  t),  additional  notation  must  be  introduced.  If  i  bits  of  a  train  of 
external  origin  ex*end  into  a  word,  we  denote  this  condition  by  the  sy  mbols  tb  =  i.  For 
example,  P(tb  =  i)  denotes  the  probability  that  a  word  contains  i  externally  generated  Irain 
bits.  Since  P{w,  fUb  =  i)  -  P(w\tb  =  i),  we  can  write 

P(w,  /)  =  P(w\tb  =  k )  P(tb  =  k) 


*1 


P(w\tb  =  «)  P(tb  =  i). 


(12) 


If  at  least  one  of  the  n  —  k  bits  preceding  the  word  is  in  error  and  n  >  k,  it  is  clear 
that  tb  =  ft.  Thus 

(l-(l  ~Pb)n~k,  n>k ; 

PUb  =k)=  <  (13) 

f  0,  n  <  k. 

For  tb  =  i,  where  1  <  i  <  k,  it  is  necessary  that  there  be  an  error  precisely  n  —  i  bits  prior 
to  the  word  but  no  erroneous  bits  among  the  next  n  —  i  —  1  bits.  Therefore,  for  1  <  i  <  k, 

(1  -Pb  )"-*■-*,  n  >  /; 

P{tb  =i)=  <  (14) 

i  0,  n  <  i. 

Substitution  c  r  Eqs.  (10)  through  (14)  into  Eq.  (9)  yields 

Pcw  =  P(w\tb  =  k)  [l  -  (1  -  Pb)n~k]  u(n-k) 

min(fe—  l,n — 1)  (15) 

+  X  = ° Pb(i  ~~ Pb)n  i _1  +  ^ _(1  “ Pb)k ] (i  - 

h  1 

where  u(n  —  fe)  is  a  step  function,  i.e.,  u(n  —  k)  is  zero  for  n  <  k  and  is  one  for  n  >  k. 

Note  that  in  the  summation  term,  i  extends  to  the  least  of  the  two  integers  k  —  1  and 
n  —  1.  To  reduce  Fq.  (15)  further,  we  would  have  to  know  the  exact  configuration  of  the 
cryptographic  system,  since  P(u>U6  =  k)  and  the  P{w\tb  =  i)  depend  on  the  interaction  of  train 
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bits.  As  mentioned  previously,  it  is  more  relevant  to  derive  the  average  of  Pcw  over  the 
ensemble  of  all  possible  cryptographic  systems  characterized  by  a  specific  value  of  the 
parameter  n. 


The  ensemble  average  probability  of  bit  error  is  one-half  for  every  bit  in  a  train, 
regardless  of  interference  level. 


Let  a  bar  over  the  P  indicate  an  ensemble  average.  To  determine  P(w\tb  =  «'),  note 
that  when  tb  =  i  there  are  i  bits  with  an  ensemble  average  probability  of  error  equal  to  one- 
half.  For  no  word  error  to  occur,  each  of  these  i  bits  must  be  correct  and  each  of  the  word 
bits  at  the  input  of  the  deciphering  system  must  be  correct,  for  if  a  word  bit  is  in  error  at 
the  input,  it  will  trigger  an  internal  train.  It  follows  that 


Similarly 


P(u>lfb  =  i)  =  1 


P(w\tb  -  k)  =  1 


From  Kqs.  (15)  through  (17),  we  obtain 


Pb)k- 


(16) 


(17) 


Pcw  *  [l-2-fc(l-P6)*]  (1  -(1  ~Pb)n~k)  u(n-k) 

min(fe—  l,n—  1 ) 

Pb  (1  -P6 )»-•'- ip  -2-'(l  -Pb)k) 

+  [1-(1-P6)*]  (1-Pb)"~i, 


(18) 


which  can  be  put  in  the  form  of  Eq.  (4). 

Equation  (18)  is  the  formula  for  the  general  cryptographic  word  error  rate.  To  obtain 
the  cryptographic  bit  error  rate,  set  k  =  1  in  Eq.  (18);  this  yields 

Pcb  =^d+^)  [l  -(1-P,,)"-1]  +P6(l-Pb)"-l.  (19) 

Approximations  to  the  formulas  can  be  obtained  by  employing  Maclaurin  Series  expan¬ 
sion  about  the  point  Pb  =  0.  By  this  technique  the  plain-text  word  error  rate  given  by  Eq. 
(2)  can  be  shown  to  be  approximately 


Pw  *  *Pb 

under  the  condition  that 

Pb  <  7“— T.  k  >  1. 

k  —  1 


(20) 

(21) 


,  ...  — *,»*~*m*.ju  -1'ttrrritViartiiUTiri.  ..rf.itmii., 


6 


O.J.  TORRIERI 


By  the  same  method,  Eq.  (19)  becomes 


under  the  condition  that 


Pb< 


2 n  +  : 
n(n  ~  1)’ 


n>  1. 


(22) 


(23) 


A  Maclaurin-series  expansion  of  Eq.  (18)  yields 

+  k  -  2  -  2Tk(n  -  k  -  2))Pb,  n  >  k; 

PCw  =  <  (24) 

{[n  +  k  -  2  +  2-<n-1))Pb,  n  <  k. 

The  condition  of  validity  obtained  by  this  procedure  is  too  complicated  to  be  useful. 
Hius  we  derive  Eq.  (24)  by  an  alternative  technique  which  yields  a  simple  condition  of 
validity.  First,  each  of  the  terms  of  the  form  (1  —  Pb  )m  is  expanded  separately,  dropping 
quadratic  and  higher  order  terms.  Substitution  into  Eq.  (18)  yields  an  approximate  expression 
for  Pcw  that  still  contains  quadratic  terms  in  Pb.  If  these  terms  are  dropped,  we  are  left  with 
Eq.  (24).  The  various  conditions  arising  from  each  step  of  this  procedure  can  be  combined 
into  a  single  condition  of  validity: 

Pb  <  min  J(n  -  1)-*,  (25) 

This  condition  is  more  restrictive  than  those  given  in  Eqs.  (21)  and  (23).  Thus  Eq.  (25) 
is  a  sufficient  condition  for  the  validity  of  Eqs.  (20),  (22),  and  (24).  A  slightly  more 
convenient  and  more  restrictive  sufficient  condition  is  given  by  Eq.  (8). 


AN  EXAMPLE:  PSK  MODULATION 

In  this  section  it  is  assumed  that  the  information  is  transmitted  by  means  of  phase 
shift  keying  (PSK).  If  white  Gaussian  noise  is  present  at  the  receiver  input,  the  plain-text 
bit  error  rate  for  an  ideal  receiver  is  given  by  (5) 


where  by  definition 


Note  that  Eq.  (26)  is  in  the  form  of  Eq.  (1). 


(26) 


(27) 


In  this  example  we  let  n  =  60  and  k  =  10.  Application  of  Eqs.  (2),  (3),  (4a),  and 
(26)  leads  to  the  plots  shown  in  Fig.  3.  Alternatively,  according  to  Eq.  (8),  we  could  use 
Eqs.  (5),  (6),  (7),  and  (26)  to  determine  the  points  where  Pb  <  10-4. 


ERROR  RATE 


Fig.  4  —  Degradation  as  a  function  of  plain-text  error  rate 


From  Fig.  3  the  degradation  due  to  the  enciphering  can  be  determined.  In  Fig.  4  the 
degradation  for  a  cryptographic  bit  is  plotted  as  a  function  of  the  plain-text  bit  error  rate. 
In  the  same  figure  the  corresponding  curve  for  a  10-bit  cryptographic  word  is  plotted  as  a 
function  of  the  plaiu-text  word  error  rate. 
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Suppose  1 0-bit  words  are  to  be  transmitted  at  a  word  error  ite  of  10-6.  According 
to  Fig.  4,  an  additional  0.7  dB  of  power  is  required,  when  enciphe.  mg  is  employed,  to 
maintain  the  error  rate.  Assuming  this  power  is  provided,  is  the  p  i  'ormance  of  the 
cryptographic  system  as  good  as  the  plain  text  system?  The  answar  is  usually  no,  due  to 
he  different  costs  of  word  errors  in  these  systems.  A  word  error  in  a  plain-text  system 
usually  involves  a  single  erroneous  bit.  On  the  other  hand,  in  a  cryptographic  system  a  word 
error  usually  implies  several  erroneous  bits.  Thus  the  cryptographic  word  error  causes  a 
more  severe  misinterpretation  of  the  transmitted  data. 

It  is  seen  in  Fig.  4  that  for  a  cryptographic  system,  approximately  1.3  dB  of  extra 
power  are  required  to  maintain  a  bit  error  rate  of  10“ 5 .  Again  the  question  arises  as  to 
the  relative  performance  of  the  cryptographic  and  plain-text  systems.  In  this  case  the  per¬ 
formances  are  usually  comparable.  In  the  cr  /ptographic  system  the  bit  errors  occur  in 
clusters.  Thus  although  there  are  fewer  worn  errors  than  in  the  plain-text  system,  the  bit 
errors  do  greater  damage.  Relative  performance  must  be  determined  by  weighing  the  costs 
of  a  word  error  with  a  single  erroneous  bit  relative  to  those  of  a  word  error  with  several  bit 
errors. 


CORRELATED  BIT  ERRORS 

So  far  it  has  been  assumed  that  at  the  input  to  the  deciphering  system  bit  errors  occur 
independently  of  each  other.  There  are  many  important  situations  in  which  this  assumption 
is  untenable.  In  this  section  an  example  is  presented  which  indicates  how  the  theory  can 
be  extended  to  handle  correlated  bit  errors. 

It  is  sometimes  desirable  to  encode  cryptographic  or  plain  bits  in  terms  of  bit  transitions. 
For  example,  after  encoding  a  ZERO  may  be  represented  by  a  transition;  a  ONE  may  be 
represented  by  no  transition.  With  this  representation,  the  transmitted  signal  can  be  inverted 
in  polarity  without  affecting  its  interpretation.  This  representation  is  called  differential 
encoding.  It  is  useful  in  phase-locked-loop  systems  and  other  systems  which  have  no  sense 
of  absolute  polarity.  The  original  bits  can  be  recovered  by  sampling  the  differentially  en¬ 
coded  bits  and  comparing  the  polarity  of  adjacent  samples  to  determine  if  a  transition  has 
occurred.  Figure  5  illustrates  a  cryptographic  system  with  differentia]  detection.  We  now 
proceed  to  determine  the  word  and  bit  error  rates  at  the  output  of  the  deciphering  system. 


Fig.  5  —  Cryptographic  system  with  differentia)  detector 


The  calculation  of  the  word  error  rate  is  a  straightforward  but  extremely  tedious  ex¬ 
tension  of  the  method  used  for  the  uncorrelated  bit  error  case.  The  reason  for  the  complex¬ 
ity  will  now  be  explained.  Consider  two  consecutive  bits  at  the  input  of  the  differential 
detector.  Since  the  detector  compares  the  polarity  of  adjacent  bits,  bit  errors  will  usually 
occur  in  pairs.  The  exception  is  when  the  two  consecutive  bits  are  both  in  error.  Then  the 
second  bit  at  the  output  of  the  detector  will  be  correct,  since  the  relative  state  of  the  second 
input  bit  is  unchanged  with  resj-  jet  to  the  first  input  bit.  Taking  the  latter  situation  inti 
account  is  what  makes  the  analysis  difficult.  If  Pb  is  small,  as  is  normally  true  in  practical 
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systems,  we  can  obtain  accurate  asymptotic  formulas  by  ignoring  the  latter  anomaly.  Thus 
we  assume  that  a  bit  error  at  the  input  of  the  differential  detector  will  always  cause  two 
consecutive  erroneous  bits  at  the  output  of  the  detector. 

Under  the  latter  assumption  the  trains  will  be  n  +  1  bits  long.  Cleariy,  Eq.  (11)  will 
remain  the  same  as  in  the  previous  derivation.  Equations  (10)  and  (13)  must  be  modified 
by  substituting  n  +  1  for  the  symbol  n  in  these  relations.  However,  Eq.  (14)  is  altered  in 
a  different  manner.  The  reason  is  that  for  tb  =  /,  where  1  <  i  <  ft,  it  is  necessary  that 
there  be  an  error  at  the  input  to  the  detector  precisely  n  —  i  +  1  bits  prior  to  the  word. 

The  bit  located  exactly  n  —  i  bits  prior  to  the  word  is  then  automatically  erroneous  at  the  de¬ 
tector  output,  according  to  our  assumption.  It  is,  however,  necessary  that  there  be  no  errors 
among  the  n  —  i  —  1  bits  preceding  the  word  at  the  input  to  the  detector.  From  these 
considerations,  we  have 


P(tb  =  i)  = 


Pb  (1  -Pfc)"-'-1, 

Pb' 

0, 


n  >  i; 

n  =  i;  (28) 

n  <i 


Similar  reasoning  shows  that  Eqs.  (16)  and  (17)  remain  unchanged  except  when  tb  =  rt. 
In  this  case,  P(w\tb  =  n)  =  1  because  of  the  initial  assumption. 


Using  the  same  methods  previously  employed  and  some  algebraic  manipulation,  it 
follows  that  the  asymptotic  formulas  for  word  and  bit  error  rates  of  the  system  of  Fig.  5 
are 


+  ft 

-1  — (n-fe-1)]  Pb 

n  >  ft; 

+  ft 

—  !  —  2— ("-D]  Pb, 

n  <  ft. 

(29) 

Pcb 

n  >  1; 

(30) 

(2P&. 

n  =  1. 

Equations  (29)  and  (30)  could  not  have  been  obtained  directly  by  substituting  n  +  1  for  the 
symbol  n  in  Eqs.  (22)  and  (24).  When  n  =  1,  it  is  seen  that  Pcb  =  2 Pb,  which  is  a  restate¬ 
ment  of  our  initial  assumption  concerning  the  operation  of  the  differential  detector.  A 
sufficient  condition  for  the  validity  of  Eqs.  (29)  and  (30)  can  be  given  once  again  by  Eq.  (8). 


In  the  previous  example  of  PSK  modulation  with  n  =  60  and  k  =  10,  it  is  seen  that  the 
differential  encoding  causes  utterly  negligible  degradation  for  small  val  res  of  Pb. 
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